Audit of Human Resources Management System Data Integrity

Global Affairs Canada
Office of the Chief Audit Executive

June 2017

Acronyms

Executive Summary

In accordance with Global Affairs Canada’s 2016-2019 Risk-Based Audit Plan, the Office of the Chief Audit Executive conducted the Audit of Human Resources Management System (HRMS) data integrity. HRMS runs on PeopleSoft, a commercial-off-the shelf system modified to meet common Government of Canada Human Resources and legislative requirements. The objective of this audit was to provide assurance that Global Affairs Canada has measures in place to ensure human resources related activities are supported by accurate, complete and timely data.

Why was this audit important?

Senior management across the department expressed concerns about HRMS data, in particular, the accuracy of data related to organizational charts and dashboards. In July 2016, Global Affairs Canada’s Human Resources Branch (HCM) provided an update to Corporate Management Committee (CMC) on CBS positions and presented their HRMS data integrity rate as well as an action plan to address data integrity shortcomings.

What was examined?

The audit team examined the management framework supporting the integrity of human resources data. The data integrity of HRMS was also tested to assess the progress of management action plans.

What was found?

The current governance structure provides limited oversight of HRMS data integrity, as in-depth technical expertise is missing to identify needs and propose solutions, and to allow for an integrated and detailed discussion on HRMS data quality. In addition, roles and responsibilities related to HRMS data integrity are not clearly defined.

Although there is a process in place to track, monitor and report on HRMS data integrity, Global Affairs Canada does not perform risk analysis on data errors, [REDACTED]

[REDACTED] Data entry in HRMS was accurate when supported by a standardized-system form. However, data entry is not always supported by documented procedures. The HRMS data integrity rate for the period under scope was 81%.

The Business Intelligence (BI) Organizational Chart Tool was not properly calibrated and produced erroneous organization charts; it was subsequently corrected by management and now works as intended.

There is no control in place for data outputs to verify the accuracy of HR data before release to senior management or submission of mandatory HR reports to central agencies and third-party service providers.

What was concluded?

Global Affairs Canada has measures in place to ensure that human resources related activities are supported by accurate, complete and timely data. However, important governance, monitoring and control areas for data integrity improvements remain.

Statement of Conformance

In my professional judgment as Chief Audit Executive, this audit was conducted in conformance with the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing and with the Treasury Board Policy and Directive on Internal Audit, as supported by the results of the quality assurance and improvement program. Sufficient and appropriate audit procedures were conducted, and evidence gathered, to support the accuracy of the findings and conclusion in this report, and to provide an audit level of assurance. The findings and conclusion are based on a comparison of the conditions, as they existed at the time, against pre-established audit criteria that were agreed upon with management and are only applicable to the entity examined and for the scope and time period covered by the audit.

Brahim Achtoutal 
Chief Audit Executive

1. Introduction

The goal of human resource (HR) management activities at Global Affairs Canada is to build a capable, confident and high-performing workforce. The Department has an extensive and diverse network of Canada Based Staff (CBS) at headquarters, across Canada, and at missions abroad which brings more complexity to HR management. As at December 31, 2016, Global Affairs Canada’s Workforce Dashboard reported 6,012 active CBS employees, approximately 78% working in headquarters, 20% in missions around the world and 2% in regional offices. Half of CBS employees are rotational or mobile and change positions every two to five years. These numbers include a population of temporary employees under a variety of hiring mechanisms, such as term, casual employment, and student contracts. Global Affairs Canada also employed 4,884 Locally-Engaged Staff (LES) to support CBS employees located in missions abroad. A reliable human resources system is critical to support decision making.

1.1 Background

Global Affairs Canada relies on the quality of HR data for planning, monitoring and reporting on HR-related activities. The HR Branch (HCM) is responsible for the timely input of data, performing analyses and providing accurate reports as requested by management on HR-related activities. Branches are responsible for providing accurate information to HCM on HR-related activities.

HRMS refers to the HR Management System (i.e. PeopleSoft), the system used for the management of HR. PeopleSoft is a commercial-off-the-shelf system modified to meet common Government of Canada HR and legislative requirements, providing an integrated platform for the management of HR information. HRMS is Global Affairs Canada’s authoritative tool for supporting the processing of HR business transactions, including compensation, leaves, classification, staffing, staff relations, employment equity, official languages, labour relations and security.  HRMS reports are used by staff in HCM, Branch Management Offices (BMO), Finance, Client Relations and Mission Operation, Labour Relations, Security and Training.  Managers have the ability to submit their HR staffing or classification action requests (standardized-system forms) based on their operational business needs.

The definition of data integrity refers to the correctness, completeness, soundness and compliance with the intention of the creators of the data. Integrity is a critical aspect of the design, implementation and usage of any system which stores, processes or retrieves data. The overall intent of any data integrity technique is to ensure data is recorded as intended and upon later retrieval. In short, data integrity aims to prevent incomplete and unintentional changes to information.

The Global Affairs Canada 2016-17 Integrated Corporate Business Plan (ICBP) identified that HRMS data has an “impact on a range of departmental operations and decisions, including staffing, classification, competitions, and performance management completion rates.” Senior management committees, such as the Corporate Management Committee (CMC) and the Executive Board (ExBo), have identified HRMS data integrity as a continuous challenge.

During the Preliminary Survey of HR Administrative Processes conducted by the Office of the Chief Audit Executive (OCAE) in 2015-2016, HCM and senior managers across the Department expressed concerns about HR data, most notably surrounding the accuracy of data related to organizational charts and dashboards. HCM is aware that data supporting organizational charts in HRMS does not reflect the Department’s current situation. As stated in the Global Affairs Canada’s 2016-17 ICBP, “as part of the 2016-17 ICBP process, HCM launched a department-wide initiative to improve HRMS data integrity. To that effect, in February 2016, the CMC decided that HRMS data would be the authoritative source of HR positions and that positions identified as vacant for two years would be abolished if they were not in the branch’s HR Plan.

1.2 Audit Objective and Scope

The objective of this audit is to provide assurance that Global Affairs Canada has measures in place to ensure that HR activities are supported by accurate, complete and timely data. This audit also informs senior management of the progress of HR strategies and their related action plans to address concerns related to the Human Resources Management System (HRMS).

The audit examined whether Global Affairs Canada has a management framework in place to support HRMS data integrity and whether HRMS provides quality information, supports strategic requirements, and facilitates decision-making and reporting.

The focus of this audit was on active CBS employees. HRMS data for LES was scoped out of the audit as it is not used for compensation purposes and is not currently included in HCM’s report on data integrity. The audit criteria are outlined in Appendix A.

2. Audit Observations

The following observations are based on documentation review, data analysis, audit testing and interviews with key personnel.

2.1 Governance structure for data integrity

Governance refers to the presence of oversight bodies and is important to ensure that management’s directions, plans, and actions are appropriate and responsible. The audit team expected to find a well-defined and applied governance structure, with the technical expertise to review and oversee HRMS data integrity at Global Affairs Canada. To assess this, the audit team examined processes and structures implemented to inform, direct, manage, and monitor the activities related to data integrity (against COBIT^{Footnote 1} guidelines for best practice) to determine if there were appropriate departmental representation and expertise to advise senior management on the department’s data integrity action plan. This would include:

• identifying HRMS data quality issues;
• identifying accountability, roles and responsibilities of stakeholders involved in the HRMS data life cycle;
• establishing methodology for measuring errors and an action plan to implement activities for permanently maintaining data quality in HRMS; and
• proposing for approval an acceptable tolerance level for error.

Overall, the audit found that the governance structure for HRMS data integrity is only partially defined and applied for review and oversight. Specifically, the governance structure of HRMS data integrity is limited to the ExBo and the CMC. Although in 2016, two presentations related to HRMS data integrity were made to the CMC by HR Corporate Strategies, Operational Services Bureau (HSD-responsible for HRMS data integrity), members of these management committees may not have the in-depth, technical subject matter knowledge for resolving issues related to HRMS data integrity and related action plans.

2.2 Accountability, roles and responsibilities

The audit team expected to find that Global Affairs Canada has defined, documented and communicated accountability, roles and responsibilities related to HRMS data integrity. To assess this, the audit team examined the roles and responsibilities as defined by the Treasury Board Secretariat (TBS) and the Department.

Overall, the audit team found that accountability, roles and responsibilities related to human resources information were generally defined through TBS policies and directives. Global Affairs Canada has not further defined or documented roles and responsibilities related to HRMS data integrity.

Accountability for information management is assigned to the deputy head through the TBS Policy on Information Management. The TBS Directive on Information Management Roles and Responsibilities is issued under the authority of Section 7 of the Financial Administration Act (FAA) and pursuant to Section 3.4 of the above-stated Policy on Information Management. The Directive states that managers at all levels in a department are also responsible for managing information as an integral part of their program and service delivery and to ensure the authenticity, and integrity of the information.

The audit team found that employees within HCM were knowledgeable of their accountability, roles, and responsibilities related to HRMS data integrity. However, roles and responsibilities for the business process related to HRMS data integrity for all stakeholders are not documented. For instance, the audit team found inconsistency in the roles and responsibilities of the BMOs related to maintaining data integrity and that there were no formal responsibilities for reviewing HR data accuracy on dashboards and HR reports prior to their release to senior management or central agencies. Appendix B illustrates different groups’ roles and responsibilities to enhance Global Affairs Canada’s data quality governance structure.

Recommendation 1:

Global Affairs Canada’s Assistant Deputy Minister (ADM) of Human Resources (HCM) should document accountabilities, roles, and responsibilities related to HRMS data integrity, including a role for a technical expert to advise senior management.

2.3 Monitoring HRMS data integrity

The audit team expected to find a process to track, monitor and report on HRMS data integrity, and to take corrective measures when needed. To assess this, the audit team examined the monitoring tools to capture and record database transactions and report on data quality. 

The audit team found that no risk analysis has been performed on data errors [REDACTED] CMC has not received regular updates on monitoring data error rates or data error types. In July 2016, HCM provided an update to Corporate Management Committee on CBS positions and presented the Committee with an HRMS data integrity rate of 86% and a summary action plan with corrective measures. Despite the monitoring practices in place it is difficult for HCM to be fully aware of the sources of errors affecting HRMS data integrity and whether the corrective measures were effective.

HR Support Services and Priority Management (HSOA) performs over 200 daily, bi-monthly and monthly queries to capture data issues and submits error reports to data owners for correction(HR assistants and HR advisors). HR advisors review their files and the documented evidence available in order to support data correction provided by the sub-delegated manager. HSOA provides data owners with tools and training to increase the quality of data monitoring activities. However, a tolerance level would inform priorities for information management, improve operational, control, and monitoring frameworks and possibly lead to a review of roles and responsibilities. Current monitoring does not provide information on HRMS data integrity error rates. Specifically:

• HSOA does not keep a log of data errors from its monitoring activities, such as the date on which errors were captured and corrected, reasons for errors, frequency of errors or corrective measures to mitigate the likelihood that the same type of errors re-occur.
• There are no documented procedures to ensure that corrections have been made, no standardized-system form is in use to receive data correction information, and the HR action request standardized-system form is not always in use for data entry.
• No monitoring error reports were presented to a senior management committee for the period under scope. There were no records of decision indicating that senior management agreed on goals and metrics related to compliance, performance and risk, classification, the relationship between goals and metrics, and data (evidence) retention.

Recommendation 2:

The ADM of HCM should undertake a risk analysis as the basis to determine and seek senior management approval of a level of tolerance for HRMS data errors.

2.4 Business process controls for data integrity

2.4.1 Data inputs

Granting user accesses

The audit team expected to find a defined and documented business process control framework in place for data inputs. The audit team examined the business controls in place surrounding granting user accesses and HRMS roles.

The audit team expected that user access would be granted on an as-needed basis to active employees. As the highest risk for data integrity is attributed to users with the ability to modify data, all users assigned modification roles were selected from the list of HRMS users.

The audit team found that the controls were adequate for granting user accesses, as well as the related monitoring activities. These controls were in compliance with the TBS Operational Security Standard: Management of Information Technology Security. HRMS users had appropriate accesses and were provided with training.

Approving HR action requests

The audit team expected that approval to initiate a classification and/or staffing action would be in compliance with the delegation of authority, as specified on the HR action request standardized-system form. The HR action request includes two types of approvals: delegated financial authority; and HR sub-delegated authority. To verify that this control was functioning and that employees with appropriate delegated authority approved the requests, the audit team analyzed all HR action requests for the period under scope.

[REDACTED]

Delegated financial authority.  For the period under scope, there were 9,349 HR classification and staffing action requests recorded in HRMS with an approved Finance section containing the names of 699 employees. The audit team found that 34 out of 699 (4.9%) employees who were named on the request did not have delegated financial authority, as required on the standardized-system form. The audit scope was limited to approvals which impact data integrity.

HR sub-delegated authority.  For the same period under scope, there were 229 employees who approved requests under the HR section. The audit team found that 40 out of 229 (17.5%) employees who approved the requests did not have sub-delegated classification and/or staffing authority, as required on the standardized-system form.

In addition, the audit team found data is not entered in HRMS solely based on HR action requests. For example, a spreadsheet linked with the Assign-O-Matic application (from the Assignment and Pool Management unit) as well as other informal and undocumented requests are currently accepted to initiate a data entry. The delegated financial and HR sub-delegated authorities were respected in the case of the Assign-O-Matic spreadsheet. The information from this system is part of a commonly accepted departmental business process. The information is shared with HR assistants to ensure that HRMS has accurate data on these employees. The audit team could not perform tests to ensure compliance with financial and HR authorities when an HR action request is undocumented and communicated informally.

Entering data in HRMS

The audit team expected that data entry in HRMS was complete and processed accurately. To assess this, the audit team selected a sample of 60 employees for which HR staffing action requests were completed during the period under scope, and selected the latest HR action request for the period. The audit team also performed testing procedures on 1,653 positions from the Assign-O-Matic database. The information on the HR staffing action request and in Assign-O-Matic was compared with HRMS data and no significant discrepancies were found. The audit team also found that the PSPC overwrites compensation fields within HRMS on a daily basis. Global Affairs Canada does not systematically monitor the HRMS fields that may have been overwritten by the PSPC.

Recommendation 3:

The ADM of HCM should ensure that all HR actions are documented and initiated through a standardized-system form to protect HRMS data integrity.

Recommendation 4:

The ADM of HCM should ensure the accuracy of the compensation fields in HRMS by reconciling these fields when they are overwritten by the PSPC.

2.4.2 Data outputs

HRMS - Organizational charts

The audit team expected the information in the approved client organizational charts would correspond to the information in HRMS.

In order to determine whether the HRMS database represented the actual situation as at February 2017, the audit team selected nine approved organizational charts from divisions within Global Affairs Canada. The audit team encountered an issue extracting these organizational charts from HRMS using the Business Intelligence (BI) Organizational Chart Tool; 35 out of the 201 client positions (17%) were missing.
The BI Organizational Chart Tool used to generate organizational charts from HRMS was not properly calibrated and produced erroneous organization charts. This may explain senior management concerns identified during the Preliminary Survey related to the accuracy of HRMS data and organizational charts. The BI Organizational Chart Tool has now been corrected by HCM and works as intended.

Of the nine sampled approved client organizational charts, the audit team examined the accuracy of HRMS data for a total of 212 positions. The audit team found that 19 positions appeared in HRMS but not in the sampled client’s approved organizational chart because HCM had not yet abolished the positions in HRMS. Nine fields reproduced on approved clients' organizational charts were compared with HRMS information, namely: the branch, position title, position number, employee's name, category, classification, language requirement, and, supervisor's name and position number. The audit team was able to compare 1,784 fields and found 337 discrepancies (19%) related to these 212 positions, representing an HRMS data integrity rate of 81%.

To restore HRMS data integrity, the nine selected clients needed to submit a total of 109 HR action requests. The audit team found that 66 (61%) of the 109 HR actions requests were initiated by clients and were being processed by HCM. The other 39% were not submitted by clients, and therefore HSD is unable to make corrections to HRMS. HR action requests that are not submitted or submitted late, impact the data integrity of HRMS.

The audit team excluded assessing timeliness of the integrity of data in HRMS from the scope as HCM’s service standards were under review. There is an audit of HCM HR service delivery on the OCAE Risk-Based Audit Plan 2016-2019.

Workforce Dashboard as at December 31, 2016

The audit team expected controls to be in place to verify the accuracy of workforce dashboards before they were released to Senior Management. The audit team used the December 2016 Workforce Dashboard and compared the results with the HRMS database as at December 31, 2016. The audit team found a difference of ten employees for the total employee count; there was no control to verify the accuracy of data prior to releasing the dashboard to Senior Management.

TBS Classification Policy Monitoring Report 2016

The audit team expected that controls would be in place to verify the accuracy of HR reports before they were released to Central Agencies. In September 2016, Global Affairs Canada reported to the TBS on a fair and accurate representation of the classification program within its Department. The audit team selected data entries reported by category of classification actions, and compared them with HRMS information for the same period of April 2015 to August 2016.

The audit team found no control to verify the accuracy and completeness of data on the 2016 TBS Classification Policy Monitoring Report prior to its release to the Central Agency. The Classification Centre of Expertise (HSOE) could not provide the methodology used to produce the number of HR activities for the reporting period. As a result, the audit team was unable to confirm the number of classification actions reported to the TBS. HSOE developed a 2017 Draft Classification Action Plan to ensure better reporting to the TBS in 2018. The plan outlines HRMS limitations related to data integrity and monitoring activities. Examples of limitations are as follows:

• one HR classification action request may refer to multiple actions but the system would count only one;
• bulk data entries such as positions abolished or changes to service codes are not captured as HR classification actions; and,
• not all clients used the HR classification action standardized-system form to initiate their requests.

Compensation information sent to third-party service provider 

The audit team expected that proper control mechanisms would be in place to ensure the integrity of the compensation information sent to PSPC.

A Pay Action Request (PAR) must be completed for all pay related requests or general enquiries submitted to the PSPC. The business process of creating a PAR is illustrated in Appendix C. The Workplace Relations and Corporate Health Bureau (HWD) sent 13,330 PARs to the PSPC between January and December 2016. Global Affairs Canada has not put in place control mechanisms over and above what is required by PSPC to ensure the data integrity of compensation information sent to the PSPC, with the exception of the trusted source field being reviewed for compliance for some requests.

However, the audit team found no significant discrepancies in seven of the 21 critical HRMS fields tested as part of the audit procedures related to HRMS data inputs and outputs. These included: Last Name; Date of Birth; Gender; Language Code; Classification Code; Employee Classification; and Full and Part-Time status.

Recommendation 5:

The ADM of HCM should ensure that HR reports to senior management, central agencies and third party service providers is properly documented and reviewed for accuracy. 

3. Conclusion

In conclusion, Global Affairs Canada has measures in place to ensure that human resources related activities are supported by accurate, complete, and timely data. However, there are important areas for data integrity improvement. Specifically:

• The current governance structure provides limited oversight of HRMS data integrity, as in-depth technical expertise is missing to identify needs and propose solutions, and to allow for an integrated and detailed discussion on HRMS data quality.
• Roles and responsibilities related to HRMS data integrity are not clearly defined.
• Although there is a process in place to track, monitor and report on HRMS data integrity, Global Affairs Canada does not conduct a risk analysis on data errors, [REDACTED]
• [REDACTED] Data entry in HRMS was accurate when supported by a standardized-system form. However, data entry is not always supported by documented standing procedures. The HRMS data integrity rate for the period under scope was 81%.
• The Business Intelligence (BI) Organizational Chart Tool was not properly calibrated and produced erroneous organization charts; it was subsequently corrected by management and now works as intended.
• There is no control in place for data outputs to verify the accuracy of HR data before release to senior management or submission of mandatory HR reports to central agencies and third-party service providers.

Appendix A: About the Audit

Objectives, Criteria, Scope and Methodology of the Audit

Objectives and criteria

The audit objective is to provide assurance that Global Affairs Canada has measures in place to ensure that HR activities are supported by accurate, complete and timely data. This engagement will examine the management and controls related to the collection and use of Global Affairs Canada HR data via systems such as HRMS.

The following criteria were used for the audit:

Criteria

• 1.  Global Affairs Canada has a management framework in place to support HRMS data integrity.

Sub-criteria

• 1.1 Governance. Global Affairs Canada’s governance regime related to HRMS is well defined and applied for the review and oversight of stakeholder needs and data integrity.
• 1.2 Accountability, roles and responsibilities. Accountability, roles and responsibilities of staff related to HRMS data integrity, such as input, users-access, and monitoring are defined, communicated and documented.
• 1.3 Operational framework.  The operational framework related to HRMS data integrity is defined by policies, directives and tools.
• 1.4 Control framework. Global Affairs Canada’s control framework includes appropriate balance of preventive and detective controls, and an appropriate balance of manual and automated controls, to mitigate risks to HRMS data integrity.
• 1.5 Monitoring. There is a process established to track, monitor and report on HRMS data integrity, and to take corrective measures, when needed.

Criteria

• 2.  Global Affairs Canada’s HRMS provides quality information, supports strategic requirements, and facilitates decision-making and reporting.

Sub-criteria

• 2.1 Action plans to correct information within the Department’s organizational charts were effective.
• 2.2 User accesses to HRMS have been adequately granted and the levels of authority for the approval are adequate.
• 2.3 Controls are in place to verify the accuracy of HR reports and dashboards prior to their release.
• 2.4 Monitoring activities related to human resources data integrity are effective and reliance on them can be established.
• 2.5 HCM ensures that information related to pay sent to the Public Service Pay Centre has been verified for quality assurance.

Scope

The audit focused on governance, processes and controls, tools and training to support adequate HR data integrity.

Specifically, due to the issues related to the Government of Canada third party service provider, the audit examined the information Global Affairs Canada sends to the service provider to ensure that the Department provides accurate and quality data to the pay centre.

The audit period covered activities from January 1, 2016, to February 28, 2017.

The audit focussed on CBS thus excluding activities related to Locally-Engaged Staff employees, as these are not used for compensation purposes and are not currently included in HCM’s report on data integrity. The audit did not focus on activities regarding missions abroad. The audit excluded common services delivered by other government departments (e.g. compensation).

Methodology

The audit was conducted in conformance with the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing and with the Treasury Board Policy and Directive on Internal Audit. These standards require that the audit be planned and performed in such a way as to obtain reasonable assurance that the audit objective is achieved. 

In order to conclude on the audit objectives, the following methods were used to gather evidence:

• Identify and review relevant policies, directives, and guidelines;
• Review and analyze relevant documents related to operations;
• Data analysis;
• Interviews with departmental officials;
• Walkthroughs of processes and systems, and identification of key controls;
• Select samples of transactions for conducting detailed testing;
• Analyze financial and non-financial information;
• Other relevant methods as deemed necessary by the audit team; and,
• Use of evidence already gathered through previous preliminary study and audit.

Appendix B:  Roles and responsibilities of data quality

Source: Adapted from COBIT 5 - Prepared by the audit team and agreed to by Global Affairs Canada’s Human Resources Branch (HCM).

Appendix C:  Business Process - Flowcharts

Source: HR Action Request Process Flowchart prepared by the Office of the Chief Audit Executive, approved by Global Affairs Canada’s Human Resources Branch (HCM).

Source: HR Action Request Process Flowchart prepared by the Office of the Chief Audit Executive, approved by Global Affairs Canada’s Human Resources Branch (HCM).

Source: Pay Action Request Process Flowchart prepared by OCAE, approved by Global Affairs Canada’s Compensation Unit (HWCD).

Appendix D:  Management Action Plan